Apache HTTP Server 2.2.18 Released

                       Apache HTTP Server 2.2.18 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.18 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, and a security fix release of the APR 1.4.4 dependency;

     * SECURITY: CVE-2011-0419 (cve.mitre.org)
       apr_fnmatch flaw leads to mod_autoindex remote DoS
       Where mod_autoindex is enabled, and a directory indexed by
       mod_autoindex contained files with sufficiently long names,
       a carefully crafted request may cause excessive CPU usage
       Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option
       of the 'IndexOptions' directive circumvents this risk.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.18 is available for download from:

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.18 provides the
   complete list of changes since 2.2.17.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.4